Application Streaming is dead. A smart way to choose an alternative

Transcript
  • 1. Application Streaming is dead. A smart way to choose an alternative. Denis Gundarev, Entisys Solutions
  • 2. Agenda • What is Application Streaming (Virtualization)? • Application Virtualization internals • Overview of available solutions
  • 3. What is Application Virtualization? • The application is executed inside a sandbox isolated from the operating system • Improves security (isolates insecurity) • Eliminates application conflicts (diagram: Package → Deliver → Execute)
  • 4. Every time you disable UAC… Steve Ballmer kills a kitten
  • 5. Every time you disable UAC… Satya Nadella kills a kitten Please, think of the kittens
  • 6. Every time you: • Modify ACLs on Program Files or HKLM • Make a user a local admin • "Just" give users the SeBackup, SeRestore, SeCreateGlobal and SeLoadDriver privileges but keep them as standard users (SeBackup, SeRestore and SeLoadDriver are each effectively administrator-equivalent: read any file, write any file, load kernel code)
  • 7. Application Isolation Environments • Was introduced in MetaFrame Presentation Server 4.0 (2005) • Virtualization layer that redirects system resources • Virtualizes: – File system – Registry – Named objects (events, semaphores, etc) • Transparent to the application • Was a great compatibility aid for: – Applications which are not multi user friendly – Applications which have problems coexisting on the same server – Applications that cannot have multiple instances running simultaneously
  • 8. Launching the initial process into an AIE (diagram: Isolation Environment Launcher aierun.exe, IMA, the isolation driver for file system, registry and named objects, and the application, e.g. winword.exe) 1. Retrieve AIE data from IMA 2. Launch the application suspended 3. Tell the driver about the AIE being launched and pass down the rules 4. Resume the process 5. Read the rules from the driver and start isolating (file system, registry and named object redirection) 6. Application execution continues
  • 9. Isolation Environment Roots • Specifies directories and registry locations • User Profile Root – Changes made by the user reside here – Suitable for Multi-user incompatible applications • Installation Root – Per Isolation environment location – Enables conflicting applications to coexist
  • 10. Isolation Environment Rules •Three types of Rules: • Ignore • Redirect • Isolate
  • 11. Isolation Environment: IGNORE Rule • Used to create “holes” in an isolation environment • Virtual address is not modified by the virtualization system • Used to allow access outside of the isolation environment
  • 12. Isolation Environment: REDIRECT Rule • Redirects an application request for a file or registry key to a specified location – If an application creates the file c:\temp\data.txt regardless of the user, it might be sensible to redirect those files to c:\aietemp\%USERNAME% – This means that if UserA ran the application isolated, c:\temp\data.txt is created as c:\aietemp\UserA\data.txt
  • 13. Isolation Environment: ISOLATE Rule • Per User: – Ensure that each user gets his own copy of the requested resource • Per Isolation Environment: – A single copy of the required system resource is created in the installation root location and shared by all users
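How the three rule types on slides 10 to 13 combine when a virtualized application touches a path, as an added example in Python. This is not Citrix code: the rule semantics (IGNORE is a hole, REDIRECT rewrites a prefix, ISOLATE keeps a per-user or per-environment copy under the roots of slide 9) follow the slides, while the longest-prefix precedence, the folder layout under the two roots, the default of per-user isolation when nothing matches, and the sample roots and rules are assumptions made for this illustration.

```python
"""AIE-style rule resolution for a virtualized application's file access.

Added example, not Citrix code. Rule semantics follow the slides; the
longest-prefix precedence, the layout under the two roots, the default of
per-user isolation when no rule matches, and the sample roots/rules are
assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Tuple
import ntpath  # pure string handling of Windows paths, runs on any host


class Kind(Enum):
    IGNORE = auto()            # hole: request passes through to the real location
    REDIRECT = auto()          # rewrite the prefix to `target` (may use %USERNAME%)
    ISOLATE_PER_USER = auto()  # private copy under the user profile root
    ISOLATE_PER_AIE = auto()   # one shared copy under the installation root


@dataclass
class Rule:
    prefix: str
    kind: Kind
    target: str = ""           # only used by REDIRECT


def _matches(prefix: str, path: str) -> bool:
    """Case-insensitive test that `path` equals or lies below `prefix`."""
    p = ntpath.normcase(prefix).rstrip("\\")
    q = ntpath.normcase(path)
    return q == p or q.startswith(p + "\\")


@dataclass
class IsolationEnvironment:
    name: str
    user_profile_root: str     # changes a user makes live here (per user)
    installation_root: str     # per-environment location shared by all users
    rules: List[Rule] = field(default_factory=list)

    def _best_rule(self, path: str, username: str) -> Optional[Rule]:
        # The most specific (longest) matching prefix wins (assumption);
        # %USERNAME% in a prefix is expanded before matching.
        hits = [r for r in self.rules
                if _matches(r.prefix.replace("%USERNAME%", username), path)]
        return max(hits, key=lambda r: len(r.prefix), default=None)

    @staticmethod
    def _under_root(root: str, path: str) -> str:
        # Fold "C:\dir\file" into "<root>\C\dir\file" (illustrative layout).
        drive, rest = ntpath.splitdrive(path)
        return ntpath.join(root, drive.rstrip(":"), rest.lstrip("\\"))

    def resolve(self, virtual_path: str, username: str) -> Tuple[Kind, str]:
        """Map the path the application asked for to where the AIE sends it."""
        path = ntpath.normpath(virtual_path)
        rule = self._best_rule(path, username) or Rule("", Kind.ISOLATE_PER_USER)
        if rule.kind is Kind.IGNORE:
            return rule.kind, path
        if rule.kind is Kind.REDIRECT:
            prefix = rule.prefix.replace("%USERNAME%", username).rstrip("\\")
            rest = path[len(prefix):].lstrip("\\")
            target = rule.target.replace("%USERNAME%", username)
            return rule.kind, ntpath.join(target, rest)
        if rule.kind is Kind.ISOLATE_PER_AIE:
            return rule.kind, self._under_root(self.installation_root, path)
        user_root = self.user_profile_root.replace("%USERNAME%", username)
        return rule.kind, self._under_root(user_root, path)


def holes_into_system(env: IsolationEnvironment,
                      protected=("C:\\Windows", "C:\\Program Files")) -> List[str]:
    """IGNORE rules are deliberate holes. Flag any that open onto OS locations:
    writes through such a hole land on the real system, for every user."""
    return [r.prefix for r in env.rules if r.kind is Kind.IGNORE
            and any(_matches(p, r.prefix) for p in protected)]


def example_environment() -> IsolationEnvironment:
    """Constructed sample environment; roots and rules are assumptions."""
    return IsolationEnvironment(
        name="Office2003",
        user_profile_root="C:\\Users\\%USERNAME%\\AppData\\Local\\AIE\\Office2003",
        installation_root="C:\\ProgramData\\AIE\\Office2003",
        rules=[
            Rule("C:\\temp", Kind.REDIRECT, "C:\\aietemp\\%USERNAME%"),  # slide 12
            Rule("C:\\Program Files\\App", Kind.ISOLATE_PER_AIE),
            Rule("C:\\Program Files\\App\\user.cfg", Kind.ISOLATE_PER_USER),
            Rule("C:\\Users\\%USERNAME%\\Documents", Kind.IGNORE),
            Rule("C:\\Windows\\Fonts", Kind.IGNORE),  # a hole worth noticing
        ])


if __name__ == "__main__":
    env = example_environment()
    for p in ["C:\\temp\\data.txt", "C:\\Program Files\\App\\app.dll",
              "C:\\Program Files\\App\\user.cfg",
              "C:\\Users\\UserA\\Documents\\report.docx", "D:\\data\\x.dat"]:
        kind, real = env.resolve(p, "UserA")
        print(f"{p} -> {kind.name}: {real}")
    print("holes into OS locations:", holes_into_system(env))
```

Running the script reproduces the slide 12 case (c:\temp\data.txt lands in c:\aietemp\UserA\data.txt), shows a per-user rule overriding the per-environment rule for one file, and lists the IGNORE rule that opens a hole into C:\Windows. Registry keys go through the same prefix match with their own roots, and the UAC VirtualStore redirection of slide 41 is the same idea expressed as a single REDIRECT rule on the protected locations.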
  • 14. Application Streaming • Codenamed Project Tarpon • Introduced in Citrix Presentation Server 4.5 (2007) • Had 6 major releases before being deprecated • Still available with XenApp 6.5 and XenDesktop 5.6 • Completely removed in XenDesktop 7
  • 15. Tarpon client extension of the CPS foundation (architecture diagram: remote users through Access Gateway / Advanced Access Control, local users, Web Interface, IMA Service with PN Agent and Persistent Store, Access Management Console, Tarpon App Subsystem and Tarpon Session Subsystem, Tarpon Profiler, Tarpon Client, AIE on the Presentation Servers, License Server, Data Collector, web and application servers, databases and file servers)
  • 16. Project Tarpon infrastructure (diagram: Profiling Station publishes to a File Share / NAS over SMB; the Project Tarpon Server Farm and Web Interface talk XML and serve clients over HTTP/HTTPS; clients fetch packages over SMB; License Server on port 27000)
  • 17. Application Virtualization Internals
  • 18. How it works • Two main components of Application Virtualization: • Isolation/Redirection • Delivery mechanism • Optional features: • File type associations and OS integration • Rights Management and usage tracking • Packaging • Shareable sandboxes
  • 19. File I/O redirection options • API hooking at user or kernel level – Hooking CreateFile, OpenFile, DeleteFile, NtCreateFile, NtOpenFile, NtDeleteFile, etc. – Hooking into the System Service Descriptor Table (SSDT) • File system filter driver or minifilter – Write a file system driver that redirects virtualized file requests (SSDT hooking is blocked by Kernel Patch Protection on 64-bit Windows, and user-mode hooks are bypassed by any code that issues the system call itself, so hook-based isolation is a compatibility layer rather than a security boundary; a minifilter sees the request no matter how it was issued)
  • 20. Registry Redirection Options • API Hooking at USER Level • Hooking advapi32.dll - RegCreateKeyEx, RegDeleteKeyEx etc • Hooking Ntdll.dll – NtCreateKey, NtDeleteKey etc • API Hooking at Kernel Level • Hooking SSDT – NtCreateKey, NtDeleteKey etc
  • 21. Players on App Virtualization Market
  • 22. Players on App Virtualization Market • Microsoft App-V • VMware ThinApp • CloudVolumes • Symantec Workspace Streaming • Spoon (Novell ZENworks) • Numecent Jukebox • FSLogix • Sandboxie • Microsoft Windows
  • 23. Microsoft App-V • Version 2.0 was released in 2002 by Softricity • ~8 major and ~50 minor releases before App-V 5.0 • App-V 5.0 is a complete rewrite, released in 2012 • Available as part of MDOP under SA • App-V 5.0 is the only version supported for XenDesktop 7
  • 24. App-V 5.0 Cons • Requires Software Assurance (SA) • Requires management servers • Requires SQL • User-level apps only • Cannot virtualize drivers • Cannot isolate applications that are part of the OS
  • 25. App-V Pros • Tons of information on Internet • Huge user community • Integration with System Center • Integration with XenDesktop • Managed by PowerShell
  • 26. VMware ThinApp • Uses user-mode hooks • Application packaging solution, just like PortableApps.com • emulates the Windows COM and DCOM • Supports Streaming Execution (SMB/CIFS) and Deployed Execution (i.e. USB) • Does not support installed Apps • No centralized management
  • 27. CloudVolumes • AppStack: basically a VHD or VMDK attached to a VM • Web-based management console that communicates with the hypervisor • Full support for server software • Available now: VMware ESX 5.0, 5.1. Coming soon: Hyper-V, Azure, Amazon EC2
  • 28. CloudVolumes
  • 29. CloudVolumes
  • 30. CloudVolumes pros • Server software support • No streaming or any other delivery mechanism • Combination of file system minifilters and a service • Text file-driven configuration • Storage segregation on the hypervisor layer • Per-machine or per-user assignments • No packaging
  • 31. CloudVolumes cons • Works with virtual workloads only • Came out of stealth mode in 2013 • Text file-driven configuration • No integration with VDI brokers
  • 32. Symantec/Altiris SVS • Now called Symantec Workspace Virtualization • Kernel-level hooks • Unmanaged computer support • Application license management • Best-in-class integration with the OS
  • 33. Spoon • Formerly Xenocode • Web portal for app access • Desktop integration • Works over HTTP/HTTPS • License management • Available as SaaS offering • Server software support • Auditing • Support for installed applications • Application snapshots
  • 34. Numecent Jukebox • HTTP-based streaming • Encrypted cache • Virtualized File System • DRM and license control • OPSWAT integration • Kernel-level file system driver • Web portal for user access • Currently targeted for ISVs and MSP • No publicly available demos or code
  • 35. Numecent Jukebox • Patents: • Software streaming system and method • Intelligent Network Streaming and Execution System for Conventionally Coded Applications • Rule-based application access management • Opportunistic block transmission with time constraints • Deriving component statistics for a stream enabled application
  • 36. FSLogix • AIE: Resurrection • Came out of stealth mode in about July 2013 • First release planned for Q3 2013 • No streaming, no packaging • Combination of a file system minifilter and user-level hooks • Supports changes in real time • Text-file based configs with a GUI editor
  • 37. FSLogix
  • 38. FSLogix
  • 39. FSLogix
  • 40. Sandboxie • Isolated sandboxes for applications • Virtualizes files, disk devices, registry keys, process and thread objects, driver objects, and objects used for inter-process communication: named pipes and mailslot objects, events, mutexes (mutants in NT speak), semaphores, sections and LPC ports • Not designed for VDI • Not designed for the enterprise • Developed by one person
  • 41. Microsoft Windows • UAC virtualization is available out of the box (applies only to 32-bit interactive processes without a requestedExecutionLevel manifest entry; writes to protected locations are redirected to %LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore) • The Application Compatibility Toolkit can be used to manage folder and registry redirection • No additional software needed
  • 42. What Are Shims? • Applied to specific apps – Configured with Compatibility Administrator in the App Compat Toolkit – Deployable to enterprise • Changes what the app thinks it sees • Does not change what app is allowed to do
  • 43. What Are Shims Good For? • Great for many kinds of bugs: – Bad Windows version checks – Writing to HKCR at runtime – Unnecessary checks for “am I admin?” – Writing to WRP-protected keys and files – Windows thinks your app is an installer – File/Registry redirections
  • 44. Version Lie Shims • Win95VersionLie • WinNT4SP5VersionLie • Win98VersionLie • Win2000VersionLie • Win2000SP1VersionLie • Win2000SP2VersionLie • Win2000SP3VersionLie • WinXPVersionLie • WinXPSP1VersionLie • WinXPSP2VersionLie • Win2K3RTMVersionLie • Win2K3SP1VersionLie • VistaRTMVersionLie • VistaSP1VersionLie • VistaSP2VersionLie • Win7RTMVersionLie
  • 45. Most Used Shims • VirtualRegistry – Fixes problems reading/writing a registry value – AddRedirect(HKLM\Key ^ HKCU\Key ^ HKLM\Key2 ^ HKCU\Key2) • CorrectFilePaths – Fixes problems reading/writing a file – c:\Program.ini = %AppData%\Program.ini • WRPRegDeleteKey – Lies when the app tries to delete a protected OS registry key • ForceAdminAccess – Spoofs queries of administrator group membership (the app is told it is an admin; it is not granted admin rights) • VirtualizeDeleteFile – Spoofs deletion of a global file • LocalMappedObject – Forces global section objects into the user's namespace • VirtualizeHKCRLite, VirtualizeRegisterTypeLib – Redirect global registration of COM objects
  • 46. Conclusion • There are many vendors on the market • If you care about App compatibility, take a look at simple solutions • Consider using SaaS-based services • Check the Application Virtualization Smackdown from Ruben Spruijt – http://www.pqr.com – 61 pages cover major vendors on the market
  • 47. Conclusion
  • 48. Contacts • @fdwl • meetup.com/BayCUG • denisg@entisys.com